Privacy Notice
GSS Privacy Notice
Introduction
Dated 20 March 2026
www.gss-rose.com (our website) is provided by GSS UK Services Limited (GSS).
In this Privacy Notice, unless stated otherwise, all defined terms shall have the meaning given to these terms in GDPR[1] and/or as set out in our Glossary of Terms.
This Privacy Notice explains how your Personal Data is Processed by GSS, where GSS is determined as a data Controller. This applies to data collected through our website (for example, when you submit your data through our online forms, or collected during interactions you may have with us (for example, when you attend our events, forums, trainings, or when you call us or send us emails or mail)). In this regard, GSS will Process all your Personal Data in compliance with EU & UK GDPR and the Data Protection Act 2018 (together known as the Data Protection Laws).
Please ready this Privacy Notice carefully as it contains important information about who we are and how and why we collect, store, use and share any information relating to you. It also explains your rights in relation to your Personal Data, and how to contact us (or a relevant regulator) in the event you have a complaint.
This Privacy Notice does not apply to any Processing of Personal Data Processing by GSS when providing its services as a data Processor to GSS customers (GSS Users) for the provision of our services. Please refer to our separate Processor Data Protection Policy for further information of when GSS is engaged as a data Processor. Our Processor Data Protection Policy can be found here: Processor Data Protection Policy – GSS
Given the nature of our website, we do not expect to collect the personal data of anyone under 18 years old. If you are aware that any personal data of anyone under 18 years old has been shared with our website, please let us know so that we can delete that data.
GSS may update this Privacy Notice from time to time which will be indicated by changing the date at the top of the Notice. Please check it periodically on our website for changes. This Privacy Notice dated 20 March 2026 supersedes the Privacy Notice dated 24 February 2025.
Sources of Personal Data
We collect Personal Data from you:
- directly, when you enter or send us information (such as when you register to attend our events, contact us via email or join our mailing lists);
- indirectly, via cookies on our website (see our Cookie Notice).
For the purposes of Screening Services, GSS obtains Personal Data from a range of sources, including, but not limited to:
- Publicly available sources, such as official governmental departments and bodies (e.g. OFAC, EU, UK, UN);
- Third party commercial providers such as Factiva, trading as Dow Jones; and
- GSS Users (e.g., financial institutions which will include those you have banking relationships with).
GSS Purposes
Under Data Protection Laws, we can only use your Personal Data if we have a proper reason, for example:
- where you have given consent;
- where the processing is in the public interest;
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your Personal Data, so long as this is not overridden by your own rights and interests. We carry out an assessment when relying on legitimate interests to ensure our interests are balanced against your own.
We collect, Process and use Personal Data for different purposes (GSS Purposes), which include the following:
| Purpose/Activity | Types of data | Lawful Basis |
| Inform you about our products and services | Contact details | Legitimate Interest Consent |
| Improve our marketing and advertising activities, as well as to improve the contents and services offered on the website | Contact details | Legitimate Interest Consent |
| Certain Processing activities for the purposes of Sanction Screening across the GSS platform | Personal Data that appears in Public Sanctions Lists and/or other publicly available sources | Legitimate Interest Public Interest |
Marketing Communications and Cookies
We may use your Personal Data to send you updates about our products and services, We have a legitimate interest in using your personal data for marketing purposes, which means we do not need your consent to send you marketing information. However, you have the right to opt-out of receiving marketing communications at any time by:
- clicking the unsubscribe link at the bottom of any email you receive from us;
- completing a Data Subject Request;
- Emailing privacy@gss-rose.com.
For more information on your right to object to the Processing of your Personal Data, please see Data Subject Rights below.
Recruitment/Prospective & work experience candidates
We manage our recruitment activities through our career site which is linked here: Careers page – GSS. Our careers privacy notice is available here: Privacy Policy – GSS UK Services Limited.
Lawful bases for Processing Personal Data
GSS may receive business contact details of employees and other individuals associated with GSS Users, Partners, and Vendors, such as first and last name, e-mail address, phone number, title and department, and other information relevant to the business relationship. GSS Users, Partners and our third-party vendors must ensure that they do so in accordance with all applicable data protection laws and regulations, including providing notice to the individual about GSS Purposes and, where required, obtaining appropriate consent.
Our and others’ legitimate interests
As summarised above, GSS Processes Personal Data on the basis that it is in our or others’ legitimate interest. We generally Process special category and criminal data for reasons of substantial public interest pursuant to Data Protection Laws.
It is in our legitimate interests to carry on a business to facilitate and assist GSS Users to undertake screening checks (Screening Services), in meeting their legal obligations to comply with applicable laws and regulations. The public also have a legitimate interest in ensuring that financial crime, fraud and serious misconduct or dishonesty are prevented and detected.
Further, GSS Processes Personal Data, including special category data, on the basis that the Processing is necessary for reasons of substantial public interest, based on applicable Data Protection Laws (including laws designed to combat money-laundering, bribery and corruption and avoidance of sanctions).
Categories of Personal Data
For the specific purpose of the provision of Screening Services, GSS may receive a range of Personal Data about you from a variety of sources. Personal Data may include, amongst other data, payment and/or transaction data and Personal Data relating to beneficiaries of any receipt of funds. GSS does not control the content of Personal Data that has been collected by those sources. Neither is GSS responsible for its accuracy. For further details on the source of Personal Data we collect and Process, please see our Processor Data Protection Policy which provides further information on the source of that data. As part of any contractual arrangements you may have or had with GSS Users, you will have already been provided with a copy of their Privacy Notice at that time. Should you wish to receive this information again, or require any other additional information on what is held about you by those institutions, you will need to direct your query to the relevant institution concerned. For the specific purpose of Screening Services, GSS does not obtain Personal Data directly from you as an individual. If you wish to exercise any of your data rights under Data Protections Laws in respect of your Personal Data, you are required to make contact direct with the relevant organisation in question. Please see our Processor Data Protection Policy for further information.
Sharing Personal Data
We make available Personal Data we have obtained from the various sources as outlined above, to a variety of recipients, for the purpose of our Screening Services and as required by, or to comply with applicable law(s). Our third-party service providers are not permitted to share or use Personal Data we make available to them for any purpose other than to provide services to us.
GSS will not transfer, disclose, sell, distribute, or lease Personal Data about you to third parties other than as described in this Privacy Notice as reasonably necessary unless we have your permission or as required or permitted by law. If we transmit Personal Data to third parties who partner with us or provide services to us, we will use reasonable efforts to ensure that these third parties also comply with this GSS Website Privacy Notice and applicable privacy laws.
If Personal Data about you is included in any information we receive from our various sources for the provision of our services, it is made available to the following parties:
- GSS Users. We only make Personal Data which is used as part of our Screening Services available to GSS Users that have a legitimate need to access the information for the fulfilment of their legal obligations and/or their legitimate interests. We also require that they only use it for the purposes of carrying out Screening Services or to otherwise comply with applicable laws and regulations.
- Third Party Service Providers. To assist us in supplying and maintaining the provision of our Screening Services, we allow a limited number of third-party service providers to access information held by us (e.g. IT systems providers, hosting providers, providers of technical support). We have contracts in place with all our third-party service providers that align with Data Protection Laws. Our contracts with our service providers include commitments from them that they only use the information for the purposes specified in our agreements or where they may be compelled to do so in accordance with applicable laws and regulations. We will use reasonable efforts to ensure that these third parties also comply with this Privacy Notice and applicable Data Protection Laws.
- Authorities, Courts and Tribunals. We may also disclose information about you to competent authorities (including any national and/or international regulatory or enforcement body or court or other form of tribunal) in connection with one or more of the purposes outlined above where we are required to do so or at their request.
Securing Personal Data
We take information security seriously and use a range of physical, electronic and operational measures to keep your Personal Data secure, accurate and relevant. We are ISO27001 certified, which means we follow top industry standards for information security.
We also have procedures in place to deal with any suspected data security breach. We will notify you, and any applicable regulator, of a suspected data security breach where we are legally required to do so.
Retaining Personal Data
We will not keep your Personal Data for longer than we need it, for the original purpose for which it was used. We calculate retention periods for your Personal Data in accordance with the following criteria:
- the length of time your Personal Data remains relevant to Screening Services;
- the length of time it is reasonable to keep records to demonstrate that we have fulfilled our duties and obligations;
- any limitation periods within which claims might be made;
- any retention periods prescribed by law, including Data Protection Laws or recommended by regulators, professional bodies or associations or inter-governmental bodies (for example, the Financial Action Task Force); and
- the existence of any relevant legal or regulatory proceedings.
Cross Border Transfers
We may transfer Personal Data we collect about you to countries other than the country in which the information was originally collected. Countries outside of the UK have differing data protection laws, some of which may provide lower levels of privacy protection. If it is necessary for us to transfer your Personal Data to a country outside the UK, the transfer will be done in compliance with Data Protection Laws which govern the Processing, retention and transfer of Personal Data transferred to other countries outside of the UK and EU/EEA. When we transfer Personal Data to other countries, we will put in place appropriate safeguards and protections (such as standard contractual clauses), and where necessary, supplemental measures, that align to Data Protection Laws. We may transfer Personal Data to countries that have been formally deemed adequate under Data Protection Laws, without putting in place additional safeguards and protections.
Data Subject Rights
Where GSS has received Personal Data from another source
As set out in this Privacy Notice, GSS obtains Personal Data from a variety of sources. If you wish to find out more about the Personal Data held about you by a specific organisation or official government body, how and why they Process your Personal Data, or if you wish to exercise your statutory rights, please see our Data Protection Policy which provides further details on who those organisations may be and, where possible, how to contact them.
GSS as a data Controller for GSS Purposes
Subject to certain exceptions and exemptions, and where applicable, you may have the following rights under Data Protection Laws, in respect of your Personal Data:
| Right to Access | You may have rights under Data Protection Laws to have access to your information and to ask us to rectify, erase and restrict use of your Personal Data. You may also have rights to object to your information being used and to withdraw consent to the use of your information. Further information on how to exercise your rights is set out below. |
| Right of subject access | The right to make a written request for details of your Personal Data and a copy of Personal Data we hold about you. |
| Right to rectification | The right to have inaccurate information about you corrected or removed. |
| Right to erasure (‘right to be forgotten’) | The right to have certain Personal Data about you erased. |
| Right to restrict Processing | The right to request that your Personal Data is only used for restricted purposes. |
| Right to object | The right to object to Processing of your Personal Data in cases where our Processing is based on the performance of a task carried out in the public interest or we have let you know the Processing is necessary for our or a third party’s legitimate interest. |
| Right to withdraw consent | The right to withdraw your consent, where the lawful basis for Processing your Personal Data was based on consent. |
| Right not to be subject to decisions without human involvement | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. We do not make any such decisions based on data collected by our website or held in our marketing database. |
If you would like to exercise any of those rights, please complete a Data Subject Request or contact us.
We do not charge a fee where you wish to exercise any of your rights, but we will ask for information to verify your identity. This is to safeguard your own privacy. Any identification evidence that you provide will only be used to verify your identity for the purpose of your requests.
There are limits to the rights that you have in relation to your Personal Data and in certain circumstances we may not be required or able to meet your request, or we may meet your request in part only. Where this occurs, we will provide you with an explanation of the legitimate basis on which we are unable or not required to meet your request.
Contacting us
If you would like to know more about how we Process your Personal Data, your rights as a data subject, reasons we are using your Personal Data, or if you are unhappy with the Processing of your Personal Data, please contact us in writing at:
Data Privacy Office, GSS UK Services Limited, 1-3 Fredericks Place, London, EC2R 8AE, United Kingdom
Email: privacy@gss-rose.com.
ICO details (UK)
If you remain dissatisfied with the way we are handling your Personal Data or with the way we have dealt with your concerns, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can contact the Information Commissioner’s Office at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. You can lodge a complaint via the Information Commissioner’s Office website: Make a complaint about how an organisation has used your personal information | ICO
Helpline number: 0303 123 1113 ICO website: www.ico.org.uk
Irish DPC details (EU)
You may direct your questions or complaints to the Data Protection Commission in Ireland, which is our lead supervisory authority at, Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, DO2 RD28, Ireland. You can also visit the DPC website.
Helpline number: +353 578 684 800 DPC website: www.dataprotection.ie/en
Changes to this Privacy Notice
GSS may update this Privacy Notice from time to time which will be indicated by changing the date at the top of the Notice.
Glossary of Terms
| Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data |
| GDPR | Both UK and EU GDPR |
| GSS User | means the customers of GSS who subscribe to the GSS Screening Services |
| GSS Purposes | GSS processing activities as set out in the GSS Privacy Notice |
| GSS Screening Services | Facilitation and assistance provided to GSS Users to undertake screening checks |
| Personal Data | means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| Processing | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Processor | means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller |
[1] References to GDPR include both EU and UK GDPR
